By

May 2007
ii
 Project Report in
Partial Fulfillment of the
Requirement for the Award of a
Bachelor’s Degree in Telecommunications Engineering

Author OPIRA MOSES ALFONSE

Reg. NO 03/U/405/GV

Supervisor MR. GEORGE WALIGO

iii
 1st 2nd Av

Project Report in
Partial Fulfillment of the
Requirement for the Award of a
Bachelor’s Degree in Telecommunications Engineering

EE421 Individual Project

Author OPIRA MOSES ALFONSE

Reg. NO 03/U/405/GV

Supervisor MR. GEORGE WALIGO

Sign. ………….………… Date: ………...........

Coordinator MR. OKUONZI JOHN

Sign. ………….………… Date: ………...........

Head of Dept. MR. BUGA BEN

Sign. ………….………… Date: ………...........

iv
 DECLARATION

I, Opira Moses Alfonse, declare that this project is my original work achieved as a
result of having made intensive research about software-based monitoring tools. This
work has never been submitted in any academic institution for the award of a degree
or anything else whatsoever.

I thus hereby present this project as consideration for the partial fulfillment of the
award of a Bachelor‟s Degree in Telecommunications Engineering as my final year
project.

Author:
OPIRA MOSES ALFONSE
B. Eng. Telecom. Eng. /IV
03/U/405/GV

Sign.……………………………

Date: ……………………………

v
 APPROVAL

I hereby approve that Opira Moses Alfonse has solely undertaken the aforementioned
project as partial fulfillment for the award of a Bachelors Degree in
Telecommunications Engineering, fourth year.

Internal Supervisor:

MR. GEORGE WALIGO

KYAMBOGO UNIVERSITY

Sign. …………………………. .

Date ……………………………

External Supervisor:

MR. LUBEGA AHMED

HUAWEI TECHNOLOGIES CO. LTD.

Sign. …………………………. .

Date ……………………………

vi
 DEDICATION

This project report is dedicated to my father, Mr. Moris Opira-P‟oria and mother Mrs.
Agnes Kaluba-Opira for all the constant support and undying love they have always
given me.

May the good lord bless them abundantly!

vii
 TABLE OF CONTENTS
DECLARATION ................................................................................................................................... V
APPROVAL ..........................................................................................................................................VI
DEDICATION .................................................................................................................................... VII
TABLE OF CONTENTS ................................................................................................................. VIII
ACKNOWLEDGEMENTS .................................................................................................................. X
ABREVIATIONS AND ACRONYMS ...............................................................................................XI
LIST OF FIGURES .......................................................................................................................... XIII
LIST OF SYMBOLS ......................................................................................................................... XIV
LIST OF TABLES .............................................................................................................................. XV
ABSTRACT ....................................................................................................................................... XVI
CHAPTER ONE ..................................................................................................................................... 1
INTRODUCTION ................................................................................................................................... 1
1.0 Background to the Study ................................................................................................. 1
1.1 Problem Statement ........................................................................................................... 2
1.2 Aim ................................................................................................................................... 3
1.3 Objectives ......................................................................................................................... 3
1.4 Significance of the Study ................................................................................................. 3
1.5 Scope of the Study ............................................................................................................ 4
1.6 Methodology ..................................................................................................................... 4
1.7 Summary .......................................................................................................................... 5
CHAPTER TWO .................................................................................................................................... 6
THEORETICAL BACKGROUND ............................................................................................................ 6
2.0 Overview of Network Monitoring .................................................................................... 6
2.1 Network Monitoring Parameters ..................................................................................... 6
2.1.1 Importance of Bandwidth ........................................................................................................ 7
2.1.1.1 Bandwidth Measurements ............................................................................................. 7
2.2 Network Monitoring Modes ............................................................................................. 9
2.2.1 Passive Monitoring ................................................................................................................... 9
2.2.2 Active Monitoring: ................................................................................................................... 9
2.3 Network Architectures ..................................................................................................... 9
2.3.1 Local Area Networks .............................................................................................................. 10
2.3.2 Wide Area Networks .............................................................................................................. 10
2.4 Network Models ............................................................................................................. 10
2.4.1 OSI Reference model .............................................................................................................. 10
2.4.2 TCP/IP model ......................................................................................................................... 12
2.4.3 OSI Network Management model ......................................................................................... 13
2.5 Network Protocols .......................................................................................................... 14
2.5.1 Layer 4 Protocols .................................................................................................................... 15
2.5.2 Layer 3 Protocols .................................................................................................................... 16
2.5.3 Layer 2 Protocols .................................................................................................................... 16
2.5.4 Layer 1 Protocols .................................................................................................................... 16
2.6 Port Numbers ................................................................................................................. 17
2.6.1 Well-known port numbers ..................................................................................................... 17
2.7 Data Encapsulation and Decapsulation ........................................................................ 18
2.7.1 Encapsulation/Decapsulation Process ................................................................................... 18
2.7.2 Ethernet Frame Structure ..................................................................................................... 19
2.8 Approaches to Network Monitoring .............................................................................. 20
2.8.1 Software-based Monitoring Tools ......................................................................................... 20
2.8.2 Command-line utilities ........................................................................................................... 21
2.8.3 SNMP Approach .................................................................................................................... 22
2.9 WinPcap Architecture .................................................................................................... 22
2.9.1 Structure of the Capture Stack ............................................................................................. 23

viii
 2.9.1.1 Network Level .............................................................................................................. 23
2.9.1.2 Kernel-Level ................................................................................................................. 23
2.9.1.3 User-Level..................................................................................................................... 23
2.10 Application Programming Interface ............................................................................. 25
2.11 Summary ........................................................................................................................ 25
CHAPTER THREE.............................................................................................................................. 26
DESIGN AND IMPLEMENTATION ....................................................................................................... 26
3.0 Design Stages ................................................................................................................. 26
3.1 Dynamic Link Library ................................................................................................... 26
3.1.1 Loading the Dynamic Link Library ...................................................................................... 26
3.1.2 Getting Function Addresses ................................................................................................... 27
3.2 Program Algorithm ........................................................................................................ 28
3.3 High-Level Programming.............................................................................................. 29
3.4 Graphical User Interface ............................................................................................... 29
3.4 Summary ........................................................................................................................ 30
CHAPTER FOUR ................................................................................................................................ 31
TESTING AND EVALUATION .............................................................................................................. 31
4.0 Test Bed Design ............................................................................................................. 31
4.1 Evaluation of Results ..................................................................................................... 32
4.1.1 Captured Devices .................................................................................................................... 32
4.1.2 IP Information ........................................................................................................................ 33
4.1.3 Capture Statistics ................................................................................................................... 34
4.2 Applications.................................................................................................................... 34
4.3 Limitations ..................................................................................................................... 35
4.4 Scheduling of Tasks ....................................................................................................... 35
4.5 Project Costing ............................................................................................................... 35
CONCLUSION ..................................................................................................................................... 36
RECOMMENDATIONS ..................................................................................................................... 38
BIBLIOGRAPHY................................................................................................................................. 39
TEXTBOOK REFERENCES.................................................................................................................. 39
CATALOGUES .................................................................................................................................... 39
TECHNICAL REPORTS AND JOURNALS ............................................................................................. 39
MANUALS .......................................................................................................................................... 40
APPENDICES ...................................................................................................................................... 41
APPENDIX A: PROJECT COSTING ............................................................................................... 41
APPENDIX B: WORK BREAKDOWN STRUCTURE ........................................................................ 42
APPENDIX C: TRACKING GANTT CHART.................................................................................... 43
APPENDIX D: WELL KNOWN PORT NUMBERS ........................................................................... 44
APPENDIX E: EXPORTED WINPCAP FUNCTIONS ....................................................................... 46

ix
 ACKNOWLEDGEMENTS

Works of this nature cannot be created in a vacuum, and I am indebted to a number of

people for the help and support they have given me throughout the course of this
project.

First and foremost, I wish to extend my sincere thanks to the Almighty Lord for
having kept me well all throughout the entire period of the project work.

I also convey my sincere gratitude to my supervisor, Mr. George Waligo for being my
mentor and inspiring me to reaching greater heights.

Many thanks also go to my parents for their loving care and support they have always
shown in many ways more than one.

I am also grateful to my fellow colleagues, Kangabe Rebecca, Kalyango Moses,

Sserunjogi Solomon Micheal and Mugisha Moses for helping me brainstorm and
pointing out merits and flaws in my ideology.

Finally I wish to extend my acknowledgements to my external supervisor, Mr. Lubega

Ahmed for scrutinizing this work.

x
 ABREVIATIONS AND ACRONYMS

ANSI American National Standards Institute

API Application Programming Interface
ARP Address Resolution Protocol
BPF Berkeley Packet Filter
Bps Bits per second
CCITT Comité Consultatif International Téléphonique et Télégraphique
CMIP Common Management Information Protocol
CSMA/CD Carrier Sense Multiple Access/Collision Detection
DBMS Database Management System
DLL Dynamic Link Library
DNS Domain Name Server
DSL Digital subscriber line
EIA Electronic Industries Alliance/Association
FAQ's Frequently Asked Questions
FDDI Fiber Distributed Data Interface
FTP File Transfer Protocol
GL Graphics Library
GUI Graphical User Interface
HTTP HyperText Transfer Protocol
ICMP Internet Control Message Protocol
IDE Integrated Development Environment
IEEE Institute of Electrical and Electronic Engineers
IP Internet Protocol
ISDN Integrated Services Digital Network
ISO International Organization for Standardization
ITU International Telecommunications Union
Kbps Kilobits per second
LAN Local Area Network
MAC Media Access Controller
Mbps Megabits per second
MIB Management Information Base

xi
NDIS Network Driver Interface Specification)
NFS Network File System
NIC Network Interface Card
OSI Open System Interconnection
PDU Protocol Data Unit
PPP Point-to-Point Protocol
RARP Reverse Address Resolution Protocol
RFC Request for Comments
SDK Standard Development Kit
SLIP Serial Line Internet Protocol
RARP Reverse Address Resolution Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SONET Synchronous Optical Network
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TIA Telecommunications Industry Association
UDP User Datagram Protocol
VoIP Voice over IP
WAN Wide Area Network
Win32 Windows 32-bit Operating System
WinPcap Windows Packet Capture
WWW World Wide Web
XP eXtreme Programming

xii
 LIST OF FIGURES

Figure 1: Theoretical/digital bandwidth formula ........................................................... 8

Figure 2: Throughput formula ....................................................................................... 8
Figure 3: Network Models ........................................................................................... 12
Figure 4: Protocols ....................................................................................................... 14
Figure 5: Encapsulation/decapsulation within a network stack ................................... 19
Figure 6: Capture Stack ............................................................................................... 24
Figure 7: Program Algorithm....................................................................................... 28
Figure 8: Graphical User Interface .............................................................................. 29
Figure 9: Graphical Capture Statistics ......................................................................... 30
Figure 10: Test Bed Setup............................................................................................ 31
Figure 13: Captured devices ........................................................................................ 32
Figure 14: IP address information................................................................................ 33
Figure 15: Captured statistics information ................................................................... 34

xiii
 LIST OF SYMBOLS

.EXE Executable file

BIN Binary Folder
COFF Visual C++ library format
E1 2.048 Mbps
E3 34.064 Mbps
Hz Hertz
IEEE 802.3 Ethernet
IEEE 802.5 Token Ring
IMPDEF Import Definition File
OMF Builder C++ library format
T1 1.544 Mbps
T3 44.736 Mbps

xiv
 LIST OF TABLES

Table 1: Table of Functions ......................................................................................... 27

Table 2: T568A Standard ............................................................................................. 31
Table 3: T568B Standard ............................................................................................. 31

xv
 ABSTRACT

Computer networks have been experiencing exponential growth over the past few
decades. As a result the need for network monitoring has become a vital aspect for
ensuring network efficiency. With over 50,000 networks, 6 million hosts, 30 million
users and still counting, the World Wide Web (WWW) has become the dominant
network accelerating Internet growth. This project analyzes the need to develop a
software-based monitoring tool capable of monitoring various network parameters
essential for optimizing network performance and ensuring efficient use of network
resources.

Such a tool should be able to aid network administrators in simplifying their daily
tasks of ensuring that network performance is achieved to desired standards. A large
set of network monitoring tools currently existing on the market today are generally
accessible only to network engineers and tend to be very expensive due to the
integration of hardware and/or are vendor specifications or limited in scope of the
parameters to which they monitor.

This project therefore sets out to design software tailored to specific user requirements
that can be easily upgraded to meet future needs or demands. The software-based
solution is meant to provide accurate, comprehensive, flexible, in-expensive and on-
demand, network monitoring capabilities throughout the entire network and inter-
connecting segments.

By Opira Moses Alfonse

Copyright© 2007, Opira Moses Alfonse.
alfonseo@gmail.com

xvi
 CHAPTER ONE
Introduction
1.0 Background to the Study
The field of network management has become a vital aspect in modern computer
networks. Today‟s networks tend to be heterogeneous, comprising of a variety of
computers, hubs, switches, bridges, routers and various other network devices from
different manufacturers. Society is increasingly becoming more dependent on
computers linked to various types of networks (e.g. LANs, MANs, WANs) most
notably the Internet which has consequently resulted in the exponential growth of
networks. The task of monitoring and managing network resources has therefore
become more taxing and complex. Network administrators are consequently faced
with the challenge of ensuring that customer satisfaction is guaranteed through
constant monitoring and management of network resources.

There are two main types of network monitoring tools which exist on the market
today; the first being dedicated hardware monitoring tools. These provide high
performance characteristics, but lack flexibility and are generally more expensive.
The second option is software-based monitoring tools which are usually slower in
comparison to the former but are much cheaper and offer the added advantage of
flexibility in terms of software modifications and upgrades. The software-based
option is the preferred solution used in most modern networks and forms the basis of
this project.

Without information about a stream of data packets from intermediate hops within a
network, end-to-end systems (interconnected) are often unable to identify and
diagnose problems within the network. For network monitoring software to efficiently
monitor network performance, the application must first know the current network
properties and what is happening to its data. By capturing data packets and analyzing
them, information can be gathered about the source of the packets, their usefulness,
and quantity.

With such gathered information, a network administrator can thus be able to deduce
which client machines are utilizing extraordinary amounts of bandwidth at the
expense of other users, the presence of daemon software running on the network,
hacker intrusions and so on.

1
This project work sets out to identify several common problems that are not
adequately addressed by existing software monitoring tools and also addresses the
end-user side of the problem. The software development is intended to be open
source, implying that the source code is freely available to any interested
programmers wishing to enhance the scope of the software.

1.1 Problem Statement

With the rapid growth of the Internet and networks in general, network monitoring
has become a vital aspect in ensuring overall network performance efficiency
considering the economic costs of network downtime. End-users, network and system
administrators currently have very few, limited and expensive monitoring tools at
their disposal to aid them in efficiently monitoring IP network performance
parameters like bandwidth usage, data transfer rates and traffic distribution within the
entire network.

Imagine a network administrator running an Internet café and monitoring over a

hundred (100) computers from one terminal while various customers are utilizing the
shared bandwidth resource on both the LAN and Internet. One customer making
numerous downloads and bulky data transfers across the LAN significantly affects the
overall performance of the entire network at the expense of other users. On the other
hand, an experienced hacker half way across the globe can easily gain unauthorized
access to any one of the computers within the Internet café‟s LAN so as to conduct
malicious activity.

It is thus obvious that such a scenario would be hectic, if not impossible for the
network administrator to monitor and avert individually from each of the hundreds of
workstations in the Internet café.

Therefore, this project addresses this problem by designing a software-based network

monitoring tool capable of efficiently monitoring overall IP network performance
parameters from a single workstation.

2
1.2 Aim
The main aim of this project is to design and implement a software-based monitoring
tool for IP networks.

1.3 Objectives
The specific objectives of this project are as follows;
i) To design and develop a software-based tool capable of efficiently monitoring
IP network parameters.
ii) To design and develop a software tool capable of aiding network
administrators in carrying out their daily responsibilities.
iii) To design and develop software that has a user-friendly graphical user
interface (GUI).
iv) To design and develop software that is open source and easily upgradeable.

1.4 Significance of the Study

The software-based monitoring tool is meant to be able to assist network
administrators in making informed decisions about how to improve network
performance based on gathered statistics or information from the software. With such
a tool, network bandwidth usage (for example within corporate organizations) which
is a vital aspect for proper and efficient running of daily activities can be properly and
efficiently monitored with the aim of making informed decisions on how to optimize
network performance.

Another very crucial requirement for corporate organizations is data security within
Intranets and LANs. By analyzing different ports for intrusion detection (for example
hackers) and malicious daemon software like spyware, malware etcetera such
problems can be identified by the software and appropriate action taken by the
network administrator thereafter.

With this software, a network administrator should be able to ensure that network
uptime and efficiency are optimized to client satisfaction and in the event of
problems, informed troubleshooting measures taken based on information gathered by
the software.

3
1.5 Scope of the Study
The scope of this project included the following;
Intensive studying of how networks operate in general with the aid of network
models (for example OSI reference model and TCP/IP models) and also
research on various protocols, and Protocol Data Units (PDU's) like frames
structure, packets and their fields.
Research work on network programming using C++ (with ports and sockets)
on Win32 platforms.
Acquaintance with a public Application Programming Interface (API) called
WinPcap, which was be used to interface the software with the operating
system‟s kernel.
Designing and compilation of the source code using Borland‟s C++ Builder
6.0‟s Integrated Development Environment (IDE) and WinPcap.
Testing, analysis and evaluation of statistics gathered by the software on a
working LAN.

1.6 Methodology
The following categorical steps were carried out in order to achieve the aim of the
project;
a) Making comparative investigations and analysis of various software-based
monitoring tools available on the market today (that is; limitations, operation,
capabilities etcetera).
b) Researching from various sources about how networks operate (basing on the
TCP/IP and OSI reference models) and network monitoring from various
primary sources like the Internet, Textbooks and Journals.
c) Conducting consultative or informative meetings with internal and external
supervisors concerning the project scope.
d) Acquaintance with network programming in C++, with particular emphasis on
Borland‟s C++ Builder 6.0 as the chosen IDE to use for developing the
software application.
e) Obtaining a public Application Programming Interface (API) to use for
interfacing the compiled program with the Operating System‟s Kernel. An
open-source library was therefore obtained called “WinPcap” (Windows
Packet Capture) from the Internet site: http://www.winpcap.org.

4
 f) Compiling source code with the aid of exported functions from the WinPcap
API for using gathered theory from various sources as elaborated above.
g) Participating in online discussion forums (blogs) on the internet and reading
FAQ‟s from various sites so as to get first hand assistance from other
programmers.
http://www.tcpdump.org/wpcap.html
http://winpcap.mirror.ethereal.com/misc/faq.html
http://netgroup/winpcap
h) Designing of a simple peer-to-peer network to use as a test bed for the
developed software application.
i) Analysis of captured data from the software program, so as to present it in an
easily comprehendible form using the software‟s GUI.
j) Carrying out various tests and evaluations of the software program on different
versions of Windows (Windows 95/98/2000/XP) and different network
protocols for example dial-up PPP and Ethernet to check for any compatibility
issues.

1.7 Summary
This chapter gives a brief introduction of what the project is all about and its
relevance in today‟s society. It also lays out a specified number of objectives and an
overall aim alongside giving the significance and scope of the project and how the
overall activities in the project were carried out.

5
 CHAPTER TWO
Theoretical Background
2.0 Overview of Network Monitoring
Networking basically refers to connecting two or more computers for the purpose of
sharing various hardware, software, and data resources.

According to wikipedia (en.wikipedia.org/wiki/networkmonitoring), the term network

monitoring describes the use of a system that constantly monitors a computer network
for slow or failing systems and that notifies the network administrator in case of
outages via email, pager or other alarms.

On the other hand, Guy Antony Halse (2003) refers to network monitoring as a system
that simply observes and reports on a network, without taking any corrective action of
its own accord.

Network monitoring is very often confused or taken as synonymous to network

management. However, network management according to www.100best-web-
hosting.com/termn.html refers to a set of activities (e.g. network monitoring, gathering
and analyzing the statistics, adjusting network configuration) performed in order to
increase the network performance and availability. This therefore implies that network
monitoring is a subset of network management.

2.1 Network Monitoring Parameters

Network monitoring parameters are essential in ensuring that optimal network
performance is achieved. There are several parameters that affect network
performance, the most important being bandwidth. Other factors affecting network
performance include the following;
Type of data being transferred
Network topology, Internetworking devices
Number of users on the network
User computer specifications, activity

In the interest of the project scope, bandwidth is elaborated in further detail.

6
2.1.1 Importance of Bandwidth
Bandwidth is defined as the amount of information that can flow through a network in
a given period of time. Bandwidth is a limited resource and it is important to
understand the concept of bandwidth for the following reasons.

Cost factor: the cost of bandwidth increases proportionally with cost. Very high
bandwidth is possible within LANs depending on the end-user equipment being used.
However, for WAN connections like the Internet, it is usually necessary to buy
bandwidth from a service provider along with the appropriate equipment which can be
quite costly. In such cases, individual users and businesses can save a lot of money if
they understand bandwidth and how its demand changes over time.

For analysis of network performance: bandwidth is an important factor that can be

used to analyze network performance of networks. A networking administrator must
understand the tremendous impact of bandwidth and throughput on a networks‟
performance. Information flows as a stream of bits from computer to computer
throughout the world. These bits represent massive amounts of information flowing
back and forth across the globe in seconds or less.

Limited capacity: regardless of the media being used to build a network, there are
limits on the network capacity to carry information. Bandwidth is limited by the laws
of physics and by the technologies used to place information on the media.

Increasing demand: as new technologies (for example Voice-Over IP, „VoIP‟),

streaming video conferencing) and infrastructure are built, new applications are
created which require greater bandwidth capacity consequently resulting in the
increased demand for bandwidth.

2.1.1.1 Bandwidth Measurements

Although the terms bandwidth and speed are often used interchangeably, they are not
exactly the same.

7
Digital bandwidth measures how much information can flow from one place to
another in a specified amount of time. The fundamental unit of measurement for
digital bandwidth is bits per second (bps). Since LANs are capable of speeds up to
thousands or millions of bits per second, measurements are normally expressed in
kilobits per second (kbps) or megabits per second (mbps). Physical media, current
technologies, and the laws of physics limit bandwidth. Digital Bandwidth varies
depending upon the type of media as well as the LAN and WAN technologies used.
The physical differences in the way signals travel result is a fundamental limitations
on the information carrying capacity of a given medium. However, the actual
bandwidth of a network is determined by a combination of the physical media and the
technologies chosen for signaling.

Analog bandwidth on the other hand refers to the frequency range of analog
electronic systems. Analog bandwidth can be used to describe the range of
frequencies transmitted by a radio station or an electronic amplifier. The unit of
measurement for analog bandwidth is hertz (Hz), the same as the unit of frequency.

For the purpose of the project, Digital Bandwidth was reviewed in further detail.

Figure 1: Theoretical/digital bandwidth formula

Theoretical File Size (Bits)

Bandwidth =
(Bps) File Transfer
time (Seconds)

Throughput refers to the actual measured bandwidth, at specific times of the day,
using specific Internet routes, and while a specific set of data is transmitted on the
network.
Actual File Size (Bits)
Throughput =
Figure 2: Throughput formula File Transfer
(Bps)
Time (Seconds)

Note:
The result is an estimate only, because the file size does not include any
overhead (additional information) added by encapsulation process.
Throughput formula gives a more accurate value of bandwidth.

8
2.2 Network Monitoring Modes
Network monitoring modes refer to the manner in which information is extracted by
monitoring tools. There are basically two modes for monitoring networks currently
adopted as follows;

2.2.1 Passive Monitoring

Many network monitoring tools are designed to passively monitor network traffic on a
particular subnet or passing through a particular gateway. Passive monitoring
sometimes called promiscuous monitoring is a mode which simple listens and
intercepts transiting traffic on a network. Passive monitoring is often the simplest
form of monitoring to implement, since it does not require any cooperation from the
monitored hosts. It looks directly at the traffic passing over the networks shared
media. Historical performance information of this sort may be used to determine
network growth and predict usage patterns.

2.2.2 Active Monitoring:

An alternative to passive monitoring is active monitoring. This refers to systems
which actively attempt to retrieve information (through probing or querying) from
remote hosts. Dedicated management protocols like SNMP (Simple Network
Management Protocol) and CMIP (Common Management Information Protocol) are
examples of forms of active network monitoring. Useful information about a network
can also be obtained by querying remote hosts using normal communication
protocols.

2.3 Network Architectures

Networks are categorized according to their geographical scope or area of coverage.
Various types of networks exist as follows;
Local area networks
Metropolitan area networks
Wide area networks

9
2.3.1 Local Area Networks
A Local Area Network (LAN) is a collection of computers that share hardware,
software, and data over a relatively smaller geographical area than usually limited to
buildings. Some common LAN technologies include the following;
Ethernet (IEEE 802.3): uses a bus topology and relies on Carrier Sense
Multiple Access/Collision Detection (CSMA/CD) to regulate traffic on a
network.
Token Ring (IEEE 802.5): uses a logical ring topology and relies on token
passing to control information flow.
Fiber Distributed Data Interface (FDDI): uses a logical ring topology to
control information flow and a physical dual-ring topology.

2.3.2 Wide Area Networks

A Wide Area Network (WAN) is a network of computers, terminals, and peripheral
devices that are located over a very large geographical area. WANs interconnect
LANs, which then provide access to computers or file servers in other locations. Some
common WAN technologies include the following:
Integrated Services Digital Network (ISDN)
Digital subscriber line (DSL)
Frame Relay
T1, E1, T3, and E3
Synchronous Optical Network (SONET)

2.4 Network Models

In order for one to properly understand the concept of network monitoring, a review
of networking models is of prime importance since it forms the basis for which the
task of monitoring networks effected. For the purpose of this work, the Open
Standards Interconnect (OSI) Reference model, OSI Network Management model and
TCP/IP models are reviewed.

2.4.1 OSI Reference model

According to, Todd Lammle, (2005), the OSI reference model was created in the late
1970s, by the ISO for standardization. The OSI model was meant to help vendors
create interoperable network devices and software in the form of protocols so that
different vendor networks could work with each other.

10
The OSI Reference model is an attempt by the International Standards Organization
(ISO) to standardize the way that computer systems communicate with each other.
Although there are several OSI models, the most widely used one is the OSI
Reference model (figure 3a). This seven layer model is intended to ensure
interoperability between different protocols and methods of communication.

The seven layers of the OSI reference model are as follows;

1. The Physical layer (layer one) is concerned with the transmission of raw binary
data over a communications channel using various media such as wires,
connectors, fiber. The Protocol Data Unit (PDU) at this layer is called the bit.
2. The Data link layer (layer two) takes the raw transmission function and
converts it into an error free transmission channel and ensures reliable transfer
of data across media, connectivity and path selection between host systems. The
PDU at this layer is called the frame.
3. The Network layer (layer three) is concerned with connectivity and routing or
best path selection of packets from source to destination. It also provides
reliable transfer of data across media. The PDU at this layer is called the packet.
4. The Transport layer (layer four) is concerned with the task of accepting data
from the session layer, breaking it into smaller fragments if necessary and
passing it to the network layer. This layer also reassembles the data fragments at
the destination and ensures that all parts are correctly received. Transmission
Control Protocol (TCP) and the User Datagram Protocol (UDP) operate at this
level.
5. The Session layer (layer five) allows users on differing machines to establish
sessions between the machines and also provides authentication.
6. The presentation layer (layer six) ensures that data is encoded in the correct
format for the application or transport that is being used.
7. The application layer (layer seven) is where all end-user applications sit. This
layer supports the hundreds of different user protocols used to perform various
tasks, such as e-mail, file transfer, etcetera.

11
 Protocol Data Units

OSI Reference Model TCP/IP Model

7 APPLICATION

4 APPLICATION
6 PRESENTATION Data

5 SESSION

4 TRANSPORT
Data 3 TRANSPORT
Segments

3 NETWORK
Packets 2 INTERNET

2 DATA LINK Frames

1 NETWORK
ACCESS
1 PHYSICAL Bits

Figure 3: Network Models

2.4.2 TCP/IP model
The OSI model is mostly used for educational purposes; a more practical model the
TCP/IP model (Figure 3b) is more often used to describe how the Internet operates.
Reference to this model is useful in order to understand the concept of network
monitoring.

Although some of the layers in the TCP/IP model have the same names as layers in
the OSI model, the layers of the two models do not correspond exactly. Most notably,
the application layer has different functions in each model.

The TCP/IP model has the following four layers as follows;

1. Application layer: this layer includes the OSI session and presentation
layer details. It also handles issues of representation, encoding, and dialog
control of data.
2. Transport layer: this layer deals with the quality of service issues of
reliability, flow control, and error correction. One of its protocols, the
TCP, provides excellent and flexible ways to create reliable, well-flowing,
12
 low-error network communications. TCP is a connection-oriented protocol
meaning that it maintains a dialogue between source and destination while
packaging application layer information into units called segments.
Connection-oriented does not mean that a circuit exists between the
communicating computers.
3. Internet layer: the purpose of this layer is to divide TCP segments into
packets and send them from any network. The packets arrive at the
destination network independent of the path they took to get there. The
specific protocol that governs this layer is called the Internet Protocol (IP).
Best path determination and packet switching occur at this layer.
4. Network Access layer: this layer is also known as the host-to-network
layer. It is concerned with all of the components, both physical and logical,
that are required to make a physical link. It includes the networking
technology details, including all the details in the OSI physical and data
link layers.

2.4.3 OSI Network Management model

Another less commonly used OSI model; the OSI network management model is
specifically addresses the task of network monitoring. This model describes the tasks
associated with managing modern computer networks, and provides a way to define
relationships between various tasks. Although this model refers to network
management, a large proportion of the ideas it contains are applicable to the role of
network monitoring. This management model addresses five conceptual areas, being:
performance management, configuration management, accounting management, fault
management and security management Rose (1991).

With interest to the project scope, only the area of performance management
contained in the OSI Network Management model is examined.

Performance Monitoring: this looks at the current and expected performance of the
network. Elements of network performance that may be monitored include network
bandwidth/throughput, availability, and utilization. This information may be
compared to theoretical performance levels or historical averages in order to
determine how well the network is currently performing. Unusual changes in
performance may help to predict network faults before they occur, enabling network
monitoring.
13
2.5 Network Protocols
According to Tim Parker (2001), a protocol is a formal description of a set of rules
and conventions that govern a particular aspect of how devices on a network
communicate. Because telecommunications systems use a wide variety of hardware
and software, protocols are needed to coordinate communication.

Protocols determine the format, timing, sequencing, and error control in data
communication. Without protocols, computers cannot make or rebuild streams of
incoming bits from another computer into their original format. Protocol suites on the
other hand are collections of protocols that enable network communication between
hosts. Protocols control all aspects of data communication, including the following:
How the physical network is built
How computers connect to the network
How the data is formatted for transmission
How that data is sent
These network rules are created and maintained by many different organizations and
committees. Included in these groups are the Institute of Electrical and Electronic
Engineers (IEEE), American National Standards Institute (ANSI),
Telecommunications Industry Association (TIA), Electronic Industries Alliance (EIA)
and the International Telecommunications Union (ITU), formerly known as the
Comité Consultatif International Téléphonique et Télégraphique (CCITT).

Some examples of the most common protocols specified by the TCP/IP reference
model layers are illustrated in figure 4 below.

Application
Layer 4

Transport
Layer 3

ICMP ARP RARP

Internet
Layer 2 IP

Network Access
Layer 1 Ethernet Token FDDI
Ring
Figure 4: Protocols
14
2.5.1 Layer 4 Protocols
File Transfer Protocol (FTP) is a reliable, connection-oriented service that uses TCP
to transfer files between systems that support FTP. It supports bi-directional binary
file and ASCII file transfers.

Trivial File Transfer Protocol (TFTP) is a connectionless service that uses the UDP.
TFTP is used on the router to transfer configuration files and Cisco IOS images, and
to transfer files between systems that support TFTP. It is useful in some LANs
because it operates faster than FTP in a stable environment.

Network File System (NFS) is a distributed file system protocol suite developed by
Sun Microsystems that allows file access to a remote storage device such as a hard
disk across a network.

Simple Mail Transfer Protocol (SMTP) administers the transmission of e-mail over
computer networks. It does not provide support for transmission of data other than
plain text.

Telnet; Telnet provides the capability to remotely access another computer. It enables
a user to log into an Internet host and execute commands. A Telnet client is referred to
as a local host. A Telnet server is referred to as a remote host.

Simple Network Management Protocol (SNMP) is a protocol that provides a way to

monitor and control network devices. SNMP is also used to manage configurations,
statistics, performance, and security.

Domain Name System (DNS) is a system used on the Internet to translate domain
names and publicly advertised network nodes into IP addresses.

15
2.5.2 Layer 3 Protocols
Transmission Control Protocol (TCP) is a communications protocol that provides
reliable (connection-oriented) transfer of data and defines how data is transferred
across the Internet. The functions of TCP are as follows:
Establishing end-to-end connectivity
Providing flow control
Ensuring reliability through the use of sequence numbers and
acknowledgments
Segment upper-layer application data
Send segments from one end device to another

User Datagram Protocol (UDP) is a connectionless-oriented protocol, meaning that

it does not provide for the retransmission of datagram‟s. UDP functions are as
follows;
Segment upper-layer application data
Send segments from one end device to another

2.5.3 Layer 2 Protocols

Internet Protocol (IP) this is a connectionless protocol which defines how data is
divided into packets for transmission and also determines the best-effort path or route
for each packet to traverse between computers.

Internet Control Message Protocol (ICMP) provides control and messaging

capabilities.

Address Resolution Protocol (ARP) determines the data link layer address, or MAC
(Media Access Controller) address, for known IP addresses.

Reverse Address Resolution Protocol (RARP) determines the IP address for a

known MAC address.

2.5.4 Layer 1 Protocols

Layer 1 is responsible for ensuring that IP packets make physical links with network
media. It includes the LAN and WAN technology details and all the details contained
in the OSI physical and data link layers.

16
Software drivers for software applications (including WinPcap), modem cards, and
other devices operate at the network access layer. The network access layer defines
the procedures used to interface with the network hardware and access the
transmission medium.

Serial Line Internet Protocol (SLIP); Modem protocol standards used to provide
network access through a modem connection.

Point-to-Point Protocol (PPP); Modem protocol standards used to provide network

access through a modem connection.

Network access layer protocols map IP addresses to physical hardware addresses and
encapsulate IP packets into frames. The network access layer defines the physical
media connection based on the hardware type and network interface.

2.6 Port Numbers

TCP and UDP must use port numbers to communicate with the upper layers, because
they‟re what keep track of different conversations crossing the network
simultaneously. Originating source port numbers are dynamically assigned by the
source host and are equal to some number starting at 1024. 1023 and below are
defined in RFC 3232 (www.iana.org). Virtual circuits that don‟t use an application
with a well-known port number are assigned port numbers randomly from a specific
range instead. These port numbers identify the source and destination application or
process in the TCP segment. The different port numbers that can be used are as
follows;
Numbers below 1024 are considered well-known port numbers and are
defined in RFC 3232 (refer to Appendix D)
Numbers 1024 and above are used by the upper layers to set up sessions with
other hosts, and by TCP to use as source and destination addresses in the TCP
segment.
2.6.1 Well-known port numbers
Both TCP and UDP use well-known ports, also known as service contact ports. The
port names reflect the specific TCP and UDP applications. Ports are the end points of
a connection, providing a convenient method for accessing and addressing the
connection end. Appendix D has a list of the well-known port numbers and their port
names.
17
2.7 Data Encapsulation and Decapsulation
According to Pastore M., Dulaney and Emmett A. (2004), all communications on a
network originate at a source, and are sent to a destination. The information sent on a
network is referred to as data or data packets. When one computer is sending data to
another computer, the data must first be packaged through a process known as
encapsulation. The receiving computer on the other hand does removes additional
information to extract the data through a process known as decapsulation.

In simple terms, the process of adding header information is termed encapsulation,

whereas removing header information is termed decapsulation.

2.7.1 Encapsulation/Decapsulation Process

Networking application programs send messages or streams of data to one of the
Internet transport Layer protocols, either the User Datagram Protocol (UDP) or the
Transmission Control Protocol (TCP). These protocols receive the data from the
application, divide it into smaller pieces called TCP segments or UDP packets, add a
destination address, and then pass the packets down to the next protocol layer, the
network layer. The network layer encloses the packet in an Internet Protocol (IP)
datagram, adds the datagram header, decides where to send the datagram (either
directly to the destination system or indirectly via a router or gateway), and passes the
datagram down to the data link layer. The data link layer accepts IP datagram‟s,
encapsulates them within frames that are specific to the network hardware such as
Ethernet, Token-Ring or FDDI, and transmits these over the network. Frames
received by a host are processed through the protocol layers in the reverse order. Each
layer strips off the corresponding header information, until the data ends up at the
application layer. Frames are received by the data link layer which strips off the frame
header and trailer, and sends the datagram up to the network layer. The network layer
strips off the IP header and sends the packet up to the transport layer. The transport
layer strips off the TCP or UDP header and sends the data up to the application. As
hosts on a network can send and receive information simultaneously, data may be
traveling both up and down the layers of the networking stack at the same time.

18
Figure 5 below illustrates how each layer adds (or removes) header information to
data traveling away from (or toward) the application layer.

Figure 5: Encapsulation/decapsulation within a network stack

2.7.2 Ethernet Frame Structure

Since data capture for the project occurs at Layer 2, the frame structure of the layer 2
PDU is reviewed in further detail. Framing is the Layer 2 encapsulation process.
Frames are used to send upper-layer data and ultimately the user application data from
a source to a destination. A single generic frame has sections called fields. Each field
is composed of several bytes as illustrated in figure 6 below.

Figure 6: Generic Frame Format

Preamble: an alternating pattern of ones and zeros used to time synchronization in 10

Mbps and slower implementations of Ethernet. Faster versions of Ethernet are
synchronous so this timing information is unnecessary but retained for compatibility.
Start Frame field (SOF): SOF delimiter consists of a one-octet field that marks the
end of the timing information and contains the bit sequence 10101011.

19
Destination Field: this contains the destination address which can be either a unicast,
multicast, or broadcast.

Source field: this contains the MAC source address.

Length/Type field: specifies the exact length of a frame in bytes and the Layer 3
protocol used by the device that wants to send data.

Data field: This field is used for inserting data into the frame. If there is not enough
user data to insert so as to meet the minimum frame length, extra data called padding
is inserted.

Frame Check Sequence (FCS) field: contains a four byte number used by the
destination computer to calculate errors in the frame. The FCS can be calculated using
either Cyclic Redundancy check (CRC), Two-dimensional parity checks or Internet
checksum.

2.8 Approaches to Network Monitoring

There are basically two approaches commonly used when monitoring networks as
follows;
Software monitoring approach
Hardware monitoring approach

The Hardware alternative will not be discussed here because it is beyond the scope of
this project.

2.8.1 Software-based Monitoring Tools

According to Erwan L. (2006), there are numerous commercial and free software-
based monitoring tools currently available which on the market which address the task
of network monitoring. The software solution to network monitoring often involves
interfacing the software with independent capture drivers like RawIP, NDIS and
WinPcap.

20
Some common high-level programs for monitoring networks include the following;
Smart Sniff allows you to capture TCP/IP packets that pass through your
network adapter, and view the captured data as sequence of conversations
between clients and servers. http://www.nirsoft.net.

IpSniffer: this is a suite of IP Tools built around a packet sniffer.

http://erwan.l.free.fr

WinSniff is an application for capturing packets on the network. It displays all

the packets that are transmitted on the local network and gives detailed
information about each header in the packet. http://www.codeproject.com

Solar Winds Network Performance Monitor: This is a real-time network

monitor that can track network latency, packet loss, availability, traffic,
bandwidth utilization, CPU load, disk space utilization and memory.
http://www.solarwinds.net/

TrafMeter is a Windows-based tool providing real-time traffic accounting

and monitoring. http://lastbit.com/trafmeter

2.8.2 Command-line utilities

These are normally integrated within operating systems and run via command-lines
like DOS, Linux Shells and so on. Examples are as follows;
TCPDump is a command-line tool found in UNIX and its variants used to
dump TCP packets transiting through a network. The Windows equivalent is
called WinDump but does not come integrated with the operating system.

Tracert for Windows operating systems or Traceroute for UNIX operating is

used to trace routes of various hosts within a network including number of
hops and timestamp values.

Ping is a tool commonly used to test for network connectivity of various hosts
and network devices.

21
2.8.3 SNMP Approach
One of the most widely used approaches to network management is the Simple
Network Management Protocol (SNMP). This protocol was originally formulated in
1988 through RFC 1067. Since then it has undergone many changes and is currently
in version three of the protocol (as defined by RFC 1157).

The Simple Network Management Protocol (SNMP) is an application layer protocol

that facilitates the exchange of management information between network devices.
SNMP enables network administrators to manage network performance, find and
solve network problems, and plan for network growth. SNMP uses UDP as its
transport layer protocol. To retrieve network information, SNMP uses a technique
called MIB collection. This means that it goes from one network device to another
polling them about their status.

So far, low-level network monitoring applications have been examined. However,

many applications build on low-level protocols to provide a higher level view of the
network. Most often, these programs attempt to represent various aspects of the
network in a graphical format.

2.9 WinPcap Architecture

WinPcap is an architecture used for packet capture and network analysis for the
Win32 platforms, based on the model of Berkeley Packet Filter (BPF) and libpcap for
UNIX. WinPcap gives Win32 operating systems the capability to intercept and
capture packets transiting through a network with the aid of the local machines‟
network adapter. The architecture also has a high-level API that can be used to create
monitoring applications for Windows thus indirectly making it easier to use the
Wpcap‟s low-level capabilities.

WinPcap‟s architecture is subdivided into three separate components as follows:

a) Kernel-level Packet capture device driver.
b) Low-level dynamic library, Packet.dll.
c) High level and system independent dynamic library, Wpcap.dll.

Note: Although the term packet capture is synonymously with frame capture, but in
actual sense the latter is more appropriate, since the capture process is done at the
data-link layer of the OSI model.
22
2.9.1 Structure of the Capture Stack
In order for a software-based monitoring application to capture information, there is
need for direct interaction with the network hardware. For this reason the operating
system should offer a set of capture primitives to communicate and receive data
directly from the network adapter. Primitives are basically used to capture packets
from a network, and transfer them to the calling programs.

2.9.1.1 Network Level

At the lowest level of the capture stack is the network being monitored. The NIC
driver is used to capture packets that circulate within the network. During a capture
the network adapter usually works in either Active or Passive mode.

2.9.1.2 Kernel-Level
The packet capture section of the kernel should be quick and efficient because it must
be able to capture packets also on networks operating at various speeds like high-
speed LANs with heavy traffic, limiting losses of packets and using a small amount of
system resources. Packet Capture driver is the lowest level software module of the
capture stack. It is the part that works at kernel level and interacts with the network
adapter to obtain the packets. It supplies the applications a set of functions used to
read and write data from the network at data-link level. The Kernel also comprises a
filter which can be used to filter out various captured frames from the network
depending on the user‟s input.

2.9.1.3 User-Level
The user-level consists of the system independent dynamic link libraries wpcap.dll,
packet.dll and the capture application which receives packets from the system,
interprets, processes and outputs information to the user in an intelligible manner. The
Wpcap.dll is a system independent dynamic library that is used by the capture part of
the applications. It interacts with Packet.dll so as to provide the applications with a
higher level and powerful capture interface. Packet.dll works at the user level, but is
separated from the capture program. It is also dynamic link library that isolates the
capture programs from the driver providing a system-independent capture interface.

The software monitoring tool is the user interface of the capture program. It manages
the interaction with the user and displays the result of a capture.

23
The structure of the capture stack from the network adapter to an application level is
shown in figure 7 below.

SOFTWARE
MONITORING
TOOL
Wpcap.dll
USER
User Buffer LEVEL

Packet.dll

Packet Capture
Driver
Kernel Buffer
KERNEL
Filter LEVEL

NIC Driver

TCP/IP
NETWORK NETWORK
LEVEL

Figure 7: Capture Stack

Note: Buffers are used at the Kernel and User-levels to provide a temporary store for
captured frames.

24
2.10 Application Programming Interface
According to nhse.cs.rice.edu/nhsereview/cms/chapter6.html, an API is a set of
library routine definitions with which third party software developers can write
portable programs. Examples are the Berkeley Sockets for applications to transfer
data over networks, those published by Microsoft for their Windows GUI and the
Open/GL graphics library initiated by Silicon Graphics Inc. for displaying three
dimensional rendered objects.

In simple terms an API is a set of interface definitions (functions, subroutines, data

structures or class descriptions) which together provide a convenient interface to the
functions of a subsystem and which insulate the application from the minutiae of the
implementation. WinPcap‟s API has a set of routines that an application uses to
request and carry out lower-level services performed by a computer's operating
system.

The WinPcap API consists of a dynamic link library containing a lists of the functions
(refer to Appendix E). According to www.sabc.co.za/manual/ibm/9agloss.html, a
DLLis a file containing executable code and data bound to a program at load time or
run time, rather than during linking and can be loaded and executed by programs
dynamically. Several applications can share the code and data in a dynamic link
library simultaneously.

2.11 Summary
This chapter gives an overview of the relevant theory involved in the design and
implementation of this project with their references. An in-depth knowledge of this
theoretical background is a pre-requisite before any programming can begin since it
forms the basis for the project work.

25
 CHAPTER THREE
Design and Implementation
3.0 Design Stages
The design and implementation of the software-based monitoring tool involved
several stages (some of which are elaborated in the chapter four) as outlined below;
1. Developing an algorithm to use for capturing frames and analyzing captured
data.
2. Loading the system independent dynamic link library (wpcap.dll) into run-
time memory so as to exploit its functions, subroutines and data structures or
class descriptions.
3. Getting addresses of the library routines.
4. Compiling the source code for the monitoring tool based on the algorithm
developed.
5. Debugging errors and exceptions in the program source code.
6. Designing a simple peer-to-peer network to use as a test bed for the developed
software.
7. Simulating traffic conditions (for example data transfers across the peer-to-
peer network) and using the developed software to perform various tests and
evaluations for analysis of captured data.
8. Designing a user friendly GUI for the end-user.

3.1 Dynamic Link Library

Before the actual compilation of the program source code could actually begin, the
WinPcap API had to be loaded into memory (i.e. at run-time) so as to interface the
software-based monitoring tool with the low-level dynamic link library, “packet.dll”.

3.1.1 Loading the Dynamic Link Library

The LoadLibrary function is an inbuilt Windows API function incorporated within
C++ Builder and was thus used to load the wpcap.dll into memory at run-time using
the following code snippet;

HINSTANCE dllhandle = LoadLibrary(“wpcap.dll”);

NB. All code in the program was compiled in C++ using Borland‟s C++ Builder
IDE.

26
 3.1.2 Getting Function Addresses
Pointers to the individual DLL functions had to be declared in the function prototypes
since the DLL loads in a different memory space (i.e. run-time) as illustrated in the
code snippet below;

int(*pcap_findalldevs_ex)(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf);

NB. The function prototypes were declared using pointers.

A list of all the functions exported by wpcap.dll is shown in Appendix E.

After declaring the individual functions to be exported by the DLL, function addresses
were obtained using the code snippet shown below for each individual function.

(FARPROC)(pcap_findalldevs_ex = GetProcAddress(“wpcap.dll”,"pcap_findalldevs_ex");

A brief summary of the functions exported from wpcap.dll is shown in table 1 below;

Function Name Function Description

pcap_compile( ) Compiles a packet filter by converting a high level filtering
expression in the Monitoring program to a form that can be
interpreted by the kernel-level filtering engine.
pcap_datalink( ) Returns the link layer of an adapter e.g. Dial-up or Network
Adapter (NIC).
pcap_dump( ) Saves the contents of frames to the disk i.e. dumping.
pcap_dump_open( ) Opens a file to write the contents of frames to.
pcap_findalldevs_ex( ) Creates a list of network devices to open with pcap_open
pcap_freealldevs( ) Frees an interface list returned by pcap_findalldevs
pcap_geterr( ) Returns the error text pertaining to the last pcap library error.
pcap_loop( ) Collects a group of frames.
pcap_next_ex( ) Reads a frame from an interface or from an offline capture
pcap_open( ) Opens a generic source in order to capture
pcap_setfilter( ) Associates a filter to a capture.
pcap_setmode( ) Sets the working mode of the interface.
pcap_stats_ex( ) Returns statistics on the current capture
Table 1: Table of Functions

27
3.2 Program Algorithm
A program flowchart was developed as illustrated in figure 8 below to ease the task of
developing the source code.

Figure 8: Program Algorithm

Note: The dotted sections of the flow chart were not successfully implemented in the
program code as stated in the limitations in chapter four.

28
3.3 High-Level Programming
The source code for the program was developed using Borland‟s C++ Builder 6.0
Integrated Development Environment (IDE). An IDE is a GUI workbench for
developing code, featuring facilities like symbolic debugging, version control, and
data-structure browsing.

Borland‟s C++ Builder 6.0‟s IDE combines the editor, compiler, debugger and other
useful tools in the same software package. The source code was therefore compiled
with the aid of the algorithm illustrated previously in figure 8.

The debugging process was also simplified using Builders IDE and a list of imported
functions generated using the MS-DOS command-line tool IMPDEF.exe. Another
useful command-line tool used “COFF2OMF.exe” converts a COFF import library
file (Input File) to a corresponding OMF import library file (Output File). Both these
tools are located in the C++ Builder BIN directory.

3.4 Graphical User Interface

After ensuring that there were no compile/run-time errors and the code was
performing its design function, a GUI was designed as shown in figure 9 below.

Example of list of interfaces

resident on machine obtained
using pcap_findalldevs_ex()

Figure 9: Graphical User Interface

29
Figure 10 below is an illustration of how the graphical output statistics of a frame
capture session are displayed.

Bytes Sent/Receive

Capture statistics
displayed graphically
i.e. Bytes sent/received
versus Time (msec)

Time (milliseconds)

Figure 10: Graphical Capture Statistics

A plot of the Bytes Sent/Received as captured by the software against Time in

milliseconds is plotted for a Network Administrator to analyze.

The bandwidth formulas in figures 1 and 2 were used to calculate the throughput rate
obtained in figure 10 above. File sizes are extracted using software implementation
from the data fields of individually captured frames along with time stamp values.

3.4 Summary
This chapter summarizes how the design and implementation of the project was
undertaken so as to achieve the desired results. It also presents illustration of how the
GUI of the software interface appears alongside its functionality.

30
 CHAPTER FOUR
Testing and Evaluation
4.0 Test Bed Design
The test bed used in carrying out tests and evaluating the software monitoring tools
performance as designed as illustrated in the peer-to-peer network shown in figure 11
below with the specified configuration settings.

Cat5e cross-over

Cable

RJ-45
Pins
IP address: 192.168.0.4 IP address: 192.168.0.3
Subnet mask 255.255.255.0 Subnet mask 255.255.255.0
Workgroup: TEST Workgroup: TEST
Figure 11: Test Bed Setup
In order to run the Software-based Monitoring Tool and carry out a capture session,
WinPcap 4.0 had to be installed on the machine meant to monitor the network. A
cross-over cable was terminated using Cat5e Ethernet cable according to the cabling
standards (T568A and T568B) shown in tables 2 and 3 below.

Table 2: T568A Standard

Table 3: T568B Standard

31
One end of the RJ-45 pin was terminated using a crimping tool and T568A standard
whilst the other end was terminated using another RJ45 pin and T568B standard.

Thereafter a cable tester was used to verify that the cross-over cable had been
properly terminated.

4.1 Evaluation of Results

The Monitoring tools was tested on a peer-to-peer network which was set up as shown
previously in figure 11 and the WinPcap 4.0 driver installed on the machine where the
software was residing. Results were obtained as follows.

4.1.1 Captured Devices

Figure 12: Captured devices

From the illustration in figure 12 above, the software was able to capture the list of
Network Devices resident on the machine when run on a PC with the following
specifications;

32
System:
Microsoft Windows XP Professional
Version 2002
Computer:
Intel(R)
Celeron(R) CPU 2.40 GHz
384 MB of RAM
Network Cards
Realtek RTL8139/810X Family PCI Fast Ethernet NIC

4.1.2 IP Information
The Monitoring tool was also able to capture IP address information as illustrated in
figure13 below

Figure 13: IP address information

33
4.1.3 Capture Statistics
The actual capture session consisted of gathering statistics like time stamps, header
lengths and header time values as shown in the snapshot figure 14 below;

Figure 14: Captured statistics information

4.2 Applications
The developed software operates in mainly Ethernet and FDDI networks thereby
serving having a variety of applications.

Some practical applications of the software designed are as follows;

a) It can be used in Internet Café‟s by network administrators.
b) The software can also be used in corporate organizational intranets.
c) The software can be used to ensure network security.
d) End-users can also find the software useful in evaluating how the network is
performing.

34
4.3 Limitations
The limitations encountered while carrying out the design and implementation of the
project included the following;
The public API WinPcap had limited capabilities in terms of capturing data.
Since capturing of frames was limited to promiscuous mode, the software is
thus most efficient when implemented in networks utilizing shared media
devices like Hubs.
There was no readily available access of a TCP/IP network to use as a test bed
when analyzing the designed software‟s functionality.
WinPcap does not offer support for Token Ring networks.

Time and funds were also another limiting factor hindering the designer/researcher in
exploiting the software‟s potential to greater depths.

4.4 Scheduling of Tasks

The scheduling of tasks required for completion of the project was carried out
systematically using a work breakdown structure as illustrated in appendix B. A
Tracking Gantt chart is also included in Appendix C with a clearer picture of how the
activities were carried out and the allocation of resources.

4.5 Project Costing

The cost of the project activities in entirety from inception to completion amounted to
a total of UgX. 1. 051, 000. A detailed description of the costing for the project items
is included in Appendix A. Where necessary however, improvising was done so as not
to lose track of the project‟s time frame target.

Note: The reader must bear in mind that the costs involved in designing, testing and
implementing of all the project activities as stated is not representative of the
actual cost of the designed “Software-based Monitoring Tool”.

4.6 Summary
This chapter summarizes how the testing of the software and evaluation of the
captured data was carried out so as to ensure the monitoring tool was operating to the
desired or acceptable levels in accordance with its objectives. It also lists the possible
applications of the monitoring tool, its limitations and gives a summary how project
work was broken down to achieve the desired objectives.
35
 CONCLUSION

In any network segment, it is expected that end-users will contribute equal or unequal
amounts of the overall bandwidth capacity available. However, because bandwidth is
a limited and costly resource, constant monitoring of its usage is essential in
maintaining optimal network performance efficiency. The Software-based Monitoring
tool designed was thus able to satisfy its aim and specific objectives though with some
limitations as earlier stated in Chapter four.

This software was tested on a peer-to-peer network and a shared dial-up internet
connection with the intention of discovering common network performance problems
and so as to develop innovative solutions to the problems that were identified. It must
be stated however that the Software-based Monitor is an informative tool meant for
network administrators to use in identifying network bottlenecks and thereafter take
corrective action.

The following are the achievements which have been made in this project using the
designed software. The monitoring tool was able to obtain;
i) IP address configuration information for the PC in use.
IP address of PC
Address Family number in use on PC
Address Family name in use on PC
Subnet mask of PC in both decimal and IP address form
Broadcast address of PC
ii) Frame capture statistics including the following:
Header lengths
Header time values
Time stamps of the frames transiting the network
iii) Extraction of source and destination information of PCs in a particular
network segment including the following
Active ports i.e. for the source and destination PC‟s
Source IP address
Destination IP Address

36
From the project costing (Appendix A) and comparative studies carried out about
existing monitoring solutions, it can thus be stated that the software-based monitoring
approach is generally much more cheater than the hardware alternative.

Software monitoring tools also offer the added advantage of flexibility in design and
maintenance work and costs. This is because software can be easily re-customized to
user-specific needs so as to meet future demands.

37
 RECOMMENDATIONS

Considering the conclusions drawn from the project work, a number of

recommendations can be made as regards the project in question as follows;
Best results are obtained when the Software-based Monitoring tool is run on
network segments utilizing hubs or shared media.
Being a versatile tool with a user-friendly interface, I would recommend this
software to be used by network administrators monitoring various network
segments e.g. in Internet Café‟s.

Further Research
Shortfalls/limitations in the software-based approach were discussed in Chapter four‟s
limitations with the hope of laying out a framework for future development of this
project to set off and perhaps provide a more complete and robust solution to the
problem.

Since the software is intended to be open source, I recommend this project for further
research so as to exploit its full potential. The source code can be obtained upon
request in writing using the researchers email indicated at the end of the abstract.

38
 BIBLIOGRAPHY

Textbook References
1. Allan Dix, (1996), UNIX Network Programming with TCP/IP
2. Aptech Worldwide, (2000), Logic Building with C, New Jersey.
3. H. Gilbert, (1995), Introduction to TCP/IP, PCLT.
4. Jesse Liberty, (1998), Teach Yourself C++ Programming in 21 Days, Sam‟s
Publishing, Indianapolis
5. Marshall T. Rose, (1991), The Simple Book: An introduction to management
of TCP/IP-based internets, Prentice-Hall.
6. Mike Pastore and Emmett Dulaney, (2004), Security+ Study Guide, (2nd
Edition), San Francisco.
7. Tim Parker, (2005), Teach Yourself TCP/IP in 14 Days, (2nd Ed.), (2nd
Edition), Sam‟s Publishing, Indianapolis.
8. Todd Lammle, (2005), CCNA: Cisco ®Certified Network Associate Study
Guide, (5th Edition), San Francisco
9. V. Jacobson, C. Leres and S. McCanne (1994), Libpcap, (1st Edition),
Lawrence Berkeley Laboratory, Berkeley, California.

Catalogues
1. S. McCanne and V. Jacobson, (2003), The BSD Packet Filter: A New
Architecture for User-level Packet Capture, Proceedings of the 1993 Winter
USENIX Technical Conference, San Diego, CA.

Technical Reports and Journals

1. Guy Antony Halse, (2003), Novel Approaches to the Monitoring of Computer
Networks, Masters Thesis, Rhodes University, South Africa.
2. John Briscoe, (2000), Understanding the OSI 7-layer model
3. Loris Degioanni, (2000), Development of an Architecture for Packet Capture
and Network Traffic Analysis, Politecnico di Torino, Turin, Italy.
4. Loris Degioanni, Mario Baldi, Fulvio Risso and Gianluca Varenni, (2003),
Profiling and Optimization of Software-Based Network Analysis Applications,
Proceedings of the 15th IEEE Symposium on Computer Architecture and High
Performance Computing, Sao Paulo, Brasil.

39
Websites
1. en.wikipedia.org/wiki/networkmonitoring
2. http://lastbit.com/trafmeter
3. http://netgroup/winpcap
4. http://winpcap.mirror.ethereal.com/misc/faq.htm
5. http://www.cisco.netacad.net
6. http://www.codeproject.comhttp://erwan.l.free.fr
7. http://www.hcibook.com/alan
8. http://www.hiraeth.com/alan/tutorials
9. http://www.iec.org
10. http://www.nirsoft.net. http://www.tcpdump.org/wpcap.html
11. http://www.solarwinds.net
12. http://www.tcpdump.org/wpcap.html
13. http://www.winpcap.org
14. http://www.winpcap.org/docs
15. nhse.cs.rice.edu/nhsereview/cms/chapter6.html
16. www.100best-web-hosting.com/termn.html
17. www.course.com/careers/glossary/programming.cfm
18. www.faqs.org/docs/artu/apa.html
19. www.sabc.co.za/manual/ibm/9agloss.html

Manuals
1. Borland‟s C++ Builder 6.0 Help Files
2. Microsoft/Windows Standard Development Kit (SDK)
3. The WinPcap Team, (2007), WinPcap Documentation 4.0, CACE
Technologies, Politecnico di Torino, Turin, Italy.

40
 APPENDICES

Appendix A: Project Costing

Item Qty Unit (UgX) Total (UgX)
Computer 1 set 750,000 750,000
C++ Builder 1 100,000 100,000
RJ-45 pins 6 pcs 500 3,000
Ethernet cable (CAT 5e) 8 meters 1,000 8,000
Cable Tester 1 pc 55,000 60,000
Network Interface Cards 2 pcs 15,000 40,000
Crimping tool 1 pc 35,000 30,000
Internet time 20 hrs 25 30,000
Transport 1 30,000 30,000
TOTAL 1,051,000

41
Appendix B: Work Breakdown Structure

42
Appendix C: Tracking Gantt chart

43
 Appendix D: Well Known Port Numbers
Port No Port Name
1 TCPMUX TCP Port Service Multiplexer
5 RJE Remote Job Entry
7 ECHO
9 DISCARD
11 USERS Active Users
13 DAYTIME
17 Quote of the Day
19 CHARGEN Character Generator
20 FTP-DATA File Transfer (Data Channel)
21 FTP File Transfer (Control Channel)
23 TELNET
25 SMTP Simple Mail Transfer
27 NSW-FE NSW User System FE
29 MSG-ICP
31 MSG-AUTH MSG Authentication
33 DSP Display Support Protocol
35 Private Printer Server
37 TIME
39 RLP Resource Location Protocol
41 GRAPHICS
42 NAMESERVER Host Name Server
43 NICNAME Who Is
49 LOGIN Host Protocol
53 DOMAIN Name Server
67 BOOTPS Bootstrap Protocol Server
68 BOOTPC Bootstrap Protocol Client
69 TFTP Trivial File Transfer Protocol
79 FINGER
101 HOSTNAMENIC Host Name Server
102 ISO-TSAP ISO TSAP
103 X400 X.400
104 X400SND X.400 SND

44
105 CSNET-NSCSNET Mailbox Name Server
109 POP2 Post Office Protocol v2
110 POP3 Post Office Protocol v3
111 SUNRPC SUN RPC Portmap
137 NETBIOS-NS NETBIOS Name Service
138 NETBIOS-DGMNET BIOS Datagram Service
139 NETBIOS-SSNNET BIOS Session Service
146 ISO-TP0
147 ISO-IP
150 SQL-NET
153 SGMP
156 SQLSRV SQL Service
160 SGMP-TRAP5 SGMP TRAPS
161 SNMP
162 SNMPTRAP
163 CMIP-MANAGE CMIP/TCP Manager
164 CMIP-AGENT CMIP/TCP Agent
165 XNS-COURIER Xerox Network
179 BGP Border Gateway Protocol

45
 Appendix E: Exported WinPcap Functions

Function Name Function Address

bpf_dump @1 bpf_dump
bpf_filter @2 bpf_filter
bpf_image @3 bpf_image
bpf_validate @4 bpf_validate
endservent @5 endservent
eproto_db @6 eproto_db
getservent @7 getservent
install_bpf_program @8 install_bpf_program
pcap_breakloop @9 pcap_breakloop
pcap_close @10 pcap_close
pcap_compile @11 pcap_compile
pcap_compile_nopcap @12 pcap_compile_nopcap
pcap_createsrcstr @13 pcap_createsrcstr
pcap_datalink @14 pcap_datalink
pcap_datalink_name_to_val @15 pcap_datalink_name_to_val
pcap_datalink_val_to_description @16 pcap_datalink_val_to_description
pcap_datalink_val_to_name @17 pcap_datalink_val_to_name
pcap_dispatch @18 pcap_dispatch
pcap_dump @19 pcap_dump
pcap_dump_close @20 pcap_dump_close
pcap_dump_file @21 pcap_dump_file
pcap_dump_flush @22 pcap_dump_flush
pcap_dump_ftell @23 pcap_dump_ftell
pcap_dump_open @24 pcap_dump_open
pcap_file @25 pcap_file
pcap_fileno @26 pcap_fileno
pcap_findalldevs @27 pcap_findalldevs
pcap_findalldevs_ex @28 pcap_findalldevs_ex
pcap_freealldevs @29 pcap_freealldevs
pcap_freecode @30 pcap_freecode
pcap_get_airpcap_handle @31 pcap_get_airpcap_handle
pcap_geterr @32 pcap_geterr

46
pcap_getevent @33 pcap_getevent
pcap_getnonblock @34 pcap_getnonblock
pcap_is_swapped @35 pcap_is_swapped
pcap_lib_version @36 pcap_lib_version
pcap_list_datalinks @37 pcap_list_datalinks
pcap_live_dump @38 pcap_live_dump
pcap_live_dump_ended @39 pcap_live_dump_ended
pcap_lookupdev @40 pcap_lookupdev
pcap_lookupnet @41 pcap_lookupnet
pcap_loop @42 pcap_loop
pcap_major_version @43 pcap_major_version
pcap_minor_version @44 pcap_minor_version
pcap_next @45 pcap_next
pcap_next_etherent @46 pcap_next_etherent
pcap_next_ex @47 pcap_next_ex
pcap_offline_filter @48 pcap_offline_filter
pcap_offline_read @49 pcap_offline_read
pcap_open @50 pcap_open
pcap_open_dead @51 pcap_open_dead
pcap_open_live @52 pcap_open_live
pcap_open_offline @53 pcap_open_offline
pcap_parsesrcstr @54 pcap_parsesrcstr
pcap_perror @55 pcap_perror
pcap_read @56 pcap_read
pcap_remoteact_accept @57 pcap_remoteact_accept
pcap_remoteact_cleanup @58 pcap_remoteact_cleanup
pcap_remoteact_close @59 pcap_remoteact_close
pcap_remoteact_list @60 pcap_remoteact_list
pcap_sendpacket @61 pcap_sendpacket
pcap_sendqueue_alloc @62 pcap_sendqueue_alloc
pcap_sendqueue_destroy @63 pcap_sendqueue_destroy
pcap_sendqueue_queue @64 pcap_sendqueue_queue
pcap_sendqueue_transmit @65 pcap_sendqueue_transmit
pcap_set_datalink @66 pcap_set_datalink
pcap_setbuff @67 pcap_setbuff
pcap_setfilter @68 pcap_setfilter
47
pcap_setmintocopy @69 pcap_setmintocopy
pcap_setmode @70 pcap_setmode
pcap_setnonblock @71 pcap_setnonblock
pcap_setsampling @72 pcap_setsampling
pcap_setuserbuffer @73 pcap_setuserbuffer
pcap_snapshot @74 pcap_snapshot
pcap_stats @75 pcap_stats
pcap_stats_ex @76 pcap_stats_ex
pcap_strerror @77 pcap_strerror
wsockinit @78 wsockinit

48